Data Processing Addendum

This Data Processing Addendum (the “Addendum”) is attached to and forms part of the Hosting Services Agreement, the Cloud Terms of Service or other terms of service in which this Addendum is incorporated by reference (the “Agreement”).

Background

(a) Selerum has agreed to provide information technology hosting Services and/or Support to Customer, as detailed in the Agreement. Such Services and Support may involve access by Selerum to the Customer’s Hosted System.

(b) Customer may use the Hosted System and Services to store and/or otherwise Process data, including Personal Data.

(c) Selerum does not determine the types of data stored by Customer using the Hosted System and Services or how such data is classified, accessed, exchanged or otherwise Processed. Selerum Processes such data only at the direction of its Customers and in accordance with the terms of the Agreement and this Addendum.

Selerum and Customer agree as follows:

Selerum and Customer agree that Customer is the Controller or primary Processor of Personal Data. Parties agree to comply with the following provisions with respect to any Personal Data stored and/or otherwise Processed on the Hosted System and/or through the Services.

  1. DEFINED TERMS

    Capitalized terms not otherwise defined in this Addendum shall have the meaning given to them in the Agreement. For the purposes of this Addendum, the following additional definitions apply:

    “Controller” means a person or entity that determines the purposes and means of the Processing of Personal Data.

    “Processor” or “Sub-processor” means a person or entity that Processes Personal Data on behalf of a Controller and/or Processor, as applicable.

    “Processing” or “Process” means any operation or set of operations that is performed upon Personal Data.

    “Selerum Infrastructure” means (i) Physical facilities used by Selerum; (ii) Selerum’s corporate network and the non-public, internal network, software and hardware necessary to the running of Selerum, which is controlled by Selerum; in each case to the extent used to provide the Services.

  2. OBLIGATIONS OF SELERUM

    2.1 Selerum’s Role in the Processing of Customer’s Personal Data. Selerum shall Process Personal Data only as a Processor or Sub-processor on Customer’s behalf and only to the extent and in such a manner as is necessary for the purposes specified by and in accordance with this Addendum, the Agreement or as otherwise instructed by the Customer from time to time. Such Customer instructions shall be documented in the applicable Order, Services Description, a customer support ticket, or other written communication. Where Selerum reasonably believes that a Customer instruction is contrary to: (i) applicable law and regulations and/or (ii) the provisions of the Agreement or Addendum, Selerum shall inform the Customer and is authorized to defer the performance of the relevant instruction until it has been amended by Customer or is mutually agreed by both Customer and Selerum.

    2.2 Technical and Organizational Measures. Selerum shall maintain and implement reasonable and appropriate technical and organizational measures in relation to the security of the Hosted System, the Selerum Infrastructure and the Services. Customer acknowledges and agrees that those reasonable and appropriate technical and organizational measures are detailed at the sub-sections below.

    2.2.1 Selerum shall maintain and implement those security practices that are (i) at least as stringent as the minimum security practices detailed at http://www.selerum.com/legal/securitypractices, and (ii) required by the terms of the Agreement.

    2.2.2 Selerum shall limit access to the Selerum Infrastructure to the Qualified Personnel. Where Selerum requires access to the Hosted System as is necessary for the purpose of fulfilling its obligations under the Agreement or Addendum, it shall limit such access to the Qualified Personnel. For the purposes of this sub-section the “Qualified Personnel” means those employees and/or agents, consultants, subcontractors or other third parties (i) who are engaged by Selerum so that it may fulfil its obligations to Customer under the Agreement or Addendum, and (ii) who are subject to confidentiality and security obligations that are the same or substantially similar to the confidentiality and security obligations set forth in the Agreement and Addendum.

    2.3 Notifications. Selerum shall notify the Customer as soon as reasonably practicable in writing:

    2.3.1 of any communication received from an individual relating to (i) an individual’s rights to access, modify, correct, delete or block his or her Personal Data and (ii) any complaint about Customer’s Processing of Personal Data;

    2.3.2 to the extent not prohibited by law, of any subpoena or other judicial or administrative order or proceeding seeking access to, or disclosure of, Personal Data;

    2.3.3 to the extent not prohibited by law, of any complaint, notice or other communication that relates to Customer’s compliance with data protection and privacy law and the Processing of Personal Data. Selerum shall provide the Customer with commercially reasonable cooperation and assistance (at Customer’s expense) in relation to such complaint, notice or communication; and

    2.3.4 of a material breach of security of the Hosted System in accordance with the applicable law, and of any Processing of Customer’s Personal Data that is not specified by or in accordance with the Addendum or the Agreement or as otherwise instructed by the Customer.

    2.4 Selerum’s Compliance with Law. Selerum shall comply with the privacy and security laws applicable to its provision of the Services under the Agreement and its obligations under this Addendum. Where required by applicable law, Selerum shall appoint a data protection officer who shall discharge its function in accordance with applicable law. The data protection officer’s details shall be provided to the Customer upon request.

    2.5 Security and Audit. Selerum shall use hosting providers that engage qualified third party auditors to perform examinations of its systems and services in accordance with: the best practice recommendations of ISO 27002, for the purpose of auditing the provider’s compliance with ISO 27001; SSAE 16 and ISAE 3402 compliance frameworks, and the AT 101 compliance framework (based upon select Trust Services Principles); and/or equivalent industry standards. Provider’s annual SOC report(s) or suitable equivalent standard(s) as specified by Selerum is available to Customer upon the Customer’s request subject to Selerum’s SOC distribution requirements. Subject to Selerum’s policies and the terms of the Agreement, and only to the extent not covered by the independent audit reports set forth above, Selerum may agree (at Customer’s expense) that the Customer or its representatives may perform physical and/or electronic reviews of the security of the Hosted System or evaluate and monitor Selerum’s compliance with its security obligations set forth under the Addendum.

  3. OBLIGATIONS OF CUSTOMER

    3.1 Customer’s Compliance. In addition to Customer’s obligations stated in the Agreement, Customer is responsible for (i) integrity, security, maintenance and appropriate protection of Personal Data, and (ii) ensuring its compliance with any applicable privacy, data protection and security law and regulation relative to: (a) its Processing of the Personal Data; (b) its use of the Hosted System and Services; and (c) any and all data Processing registration or notification requirements to which Customer is subject under the applicable law. For the avoidance of doubt, applicable law for the purposes of this Sub-section includes that law referenced at Section 6.2 of this Addendum.

    3.2 Customer’s Data Processing. Customer is the primary system administrator (i) of the Hosted System and (ii) with regard to how Personal Data is stored, classified, exchanged or otherwise Processed using the Hosted System and Services. Customer has full access to log into the Hosted System remotely. Customer may make the following changes to the Hosted System and Personal Data as required: (i) uploading and deleting Personal Data; (ii) configuring software and security settings; (iii) adding or removing local users; and (iv) changing passwords.

    3.3 Notifications. Customer agrees to make any required notifications to, or obtain required consents and rights from, individuals in relation to Selerum’s provision of any work or services to Customer. Where Selerum receives the communication described at Sub-section 2.3.1 and 2.3.3 and notifies Customer of such communication, it is Customer’s responsibility to respond to and take all other appropriate action with regard to the communication. Customer agrees to immediately notify Selerum of any unauthorized use of Services or Customer’s account or of any other breach of security involving the Hosted System or Services.

    3.4 Technical and organizational measures. Customer is solely responsible for implementing and maintaining security measures and other technical and organizational measures appropriate to the nature and volume of Personal Data that Customer stores and/or otherwise Processes using the Hosted System and/or Services. Customer is also responsible for the use of the Services by any of its employees, any person Customer authorizes to access or use the Services, and any person who gains access to its Personal Data or the Services as a result of its failure to use reasonable security precautions, even if such use was not authorized by Customer. Customer may purchase supplementary services from Selerum in order to meet its obligations under this Sub-section 3.4.

  4. COOPERATION 

    4.1 Customer and Selerum cooperation. Customer and Selerum agree to cooperate as reasonably required to protect the Selerum Infrastructure, the Hosted System and Personal Data. Customer must cooperate with Selerum’s reasonable investigation of Service outages, security problems, and any suspected security breach.

    4.2 Selerum’s assistance with Customer’s Compliance requirements. During the term of Customer’s Agreement with Selerum, Customer may request that Selerum assist Customer to comply with Customer’s obligations under applicable data protection or privacy law and regulations provided (i) such obligations are relevant to the Hosted System, Selerum Infrastructure and Services that support the Processing of Personal Data, (ii) such obligations are reasonable, and (iii) if Selerum agrees to so assist, it shall be at the Customer’s expense.

  5. SUB-PROCESSING

    In accordance with the Agreement, Selerum may need to engage a Sub-processor when necessary to provide Services and Support to Customer. Customer agrees that Selerum may give those Sub-processors (including but not limited to Selerum’s Affiliates) access to Customer’s Hosted System strictly for Selerum’s legitimate business purposes. Customer further agrees that those Sub-processors may be based outside of the state, province, country or other jurisdiction in which Customer has chosen to store the Personal Data. Selerum requires that its Sub-processors maintain security and confidentiality practices that are consistent with the Agreement, this Addendum, and Selerum’s privacy and information security policies, as applicable. Any Selerum Affiliate that has access to Customer’s Hosted System has agreed to security and confidentiality practices consistent with this agreement. Selerum remains responsible to Customer under the Agreement for Services performed by its Sub-processors to the same extent as if Selerum performed the Services itself.

  6. DATA CENTER LOCATION AND DATA TRANSFER

    6.1 Selerum Data Centers. Customer may select the territory in which it stores and Processes Personal Data. Unless otherwise specified in the Agreement, Selerum shall not relocate Customer’s Hosted System to a Selerum data center in another territory.

    6.2 Data Transfer. Customer agrees that if the location of its Personal Data is outside of Customer’s own state, province, country or other jurisdiction, then the Customer’s obligation to comply with all applicable law as set forth in the Agreement and this Addendum includes an obligation to comply with the law of the state, province, country or other jurisdiction in which the Personal Data is hosted by Selerum. Customer acknowledges and agrees that Selerum and its Sub-processors may provide the Services and Support from any state, province, country or other jurisdiction.

  7. CUSTOMER ACCOUNT INFORMATION

    Personal Data that Selerum collects about Customer (other than Customer Data) during the purchase, account sign-up, use or maintenance of Customer’s account, shall be processed by Selerum in accordance with its then-current Privacy Statement at www.selerum.com/legal/privacy.

Source URL: http://www.selerum.com/legal/dataprocessing

© 2016 Selerum, Inc.